Cisco ASA Site To Site VPN IKEv2 “Using CLI”
KB ID 0001429 Problem You want a secure IPSEC VPN between two sites using IKEv2. Note: If the device you are connecting to does not support IKEv2 (i.e. its not a Cisco ASA, or it’s running code older than 8.4) then you need to go to the older version of this article; Cisco ASA 5500 Site to Site VPN IKEv1 (From CLI) Solution Before you start – you need to ask yourself “Do I already have any IPSEC VPN’s...
Cisco ASA: Allow VPN Traffic “Through” A Cisco Firewall
KB ID 0001428 Problem I got asked to put in a VPN for a client, this week, it went from a simple site to site, to a site to site with a Fortigate firewall at one end, to a VPN from and ASA to a Fortigate ‘through’ another ASA. It’s been a few years since I had to tunnel  ‘through’ a firewall, and experience tells me, if you don’t have control of BOTH ends of a new VPN tunnel, anything that stops...
Cisco ASA: Group-Lock WARNING
KB ID 0001423 Problem You will see this error if you are pasting configuration into a Cisco firewall. This week I was manually converting an old 8.2 version firewalls configuration, to run on a modern (version 9) firewall, when I saw this; Petes-ASA(config)# username fred.bloggs attributes Petes-ASA(config-username)# group-lock value SOME-VALUE WARNING: tunnel-group SOME-VALUE does not exist Solution The reason you are seeing this...
Cisco ASA 5506-X: Bridged BVI Interface
KB ID 0001422 Problem When the ASA 5506-X appeared there was much grumbling, “This is not a replacement for the ASA 5505, I need to buy a switch as well!” Â and “I have six ports on the firewall I cant use” etc. While I understand that, and if truth be told the ASA 5505, was SUPPOSED to be used in SOHO environments where an all in one device, (with PoE) was a great fit. The problem was, people started throwing...
Cisco ASA: ‘Received an un-encrypted INVALID_COOKIE notify message, dropping’
KB ID 0001421 Problem Saw this in a forum today, and knew what it was straight away! While attempting to get a VPN tunnel up from a Cisco ASA (5508-x) to a Sonicwall firewall this was there debug output; Apr 06 00:45:21 [IKEv1]IP = x.x.x.x, IKE Initiator: New Phase 1, Intf Lan, IKE Peer x.x.x.x local Proxy Address 192.168.90.150, remote Proxy Address 10.252.1.1, Crypto map (Internet_map) Apr 06 00:45:21 [IKEv1 DEBUG]IP = x.x.x.x,...
Cisco WLC: EAP-TLS Secured Wireless with Certificate Services
KB ID 0001420 Problem Ah certificates! If I had a pound for every time I’ve heard “I don’t like certificates”, I could retire! The following run through is broken down into the following parts; Setup the Cisco WLC (WLAN) Setup NAP (RADIUS). Setup Certificate Auto Enrolment. Setup Group Policy to Deliver the Wireless Settings. Note: If you are scared of certificates, sometimes it’s easier to setup password...